[BUG] Permission bypass: git commit/push execute without approval despite requireApproval configuration

Resolved 💬 3 comments Opened Dec 3, 2025 by spallen Closed Dec 7, 2025

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Git commands (git commit and git push) listed in the ask array in .claude/settings.local.json are bypassing the approval prompt and executing directly without user confirmation.

Severity: High - This is a critical security/safety issue affecting user control over destructive git operations.

Configuration (.claude/settings.local.json):

{
  "permissions": {
    "allow": [
      "Bash(git add:*)",
      "Bash(git checkout:*)"
      // ... other allowed commands
    ],
    "deny": [],
    "ask": [
      "Bash(gh pr create:*)",
      "Bash(gh pr merge:*)",
      "Bash(git commit:*)",     // ← Line 134: Should require approval
      "Bash(git push:*)",        // ← Line 135: Should require approval
      "Bash(git push --force:*)",
      "Bash(git rebase:*)",
      "Bash(git reset --hard:*)",
      "Bash(rm:*)"
    ]
  }
}

Observed Behavior:

  • git add package.json yarn.lock - Correctly auto-approved (in "allow" list)
  • git commit -m "fix: upgrade Next.js 15.5.7 & React 19.1.2..." - Bypassed approval prompt
  • git push - Bypassed approval prompt

Impact:

  • Users lose control over destructive git operations
  • Configuration-based safety checks are ineffective
  • Could lead to unwanted commits/pushes to remote repositories
  • Breaks user trust in the permission system

Note: User confirms this feature worked correctly in previous Claude Code sessions, indicating this is a recent regression.

What Should Happen?

When Claude Code attempts to run a command matching patterns in the ask array:

  1. Command execution should pause before running
  2. User should see an approval prompt in the UI
  3. Command should only execute after explicit user confirmation
  4. User can choose to approve or deny the command

Expected Flow:

Claude: "I'll commit these changes"
[Uses Bash tool with: git commit -m "message"]
→ UI SHOWS APPROVAL PROMPT ←
→ User clicks "OK" or "Cancel" ←
→ Command executes only if approved ←

Pattern Matching:

  • Commands in "allow" array → Auto-approve immediately
  • Commands in "ask" array → Show approval prompt, wait for user
  • Commands in "deny" array → Block execution
  • Commands not matching any pattern → Ask for approval (default safe behavior)

Error Messages/Logs

**User Feedback** (confirming unexpected behavior):

> "how did you commit that without my approval? you have specific rules that REQUIRE me to manually approve a git commit"

> "I always say let's commit this and still when you run the git commit command it always prompts me to actually say whether or not it's okay. You've never bypassed that prompt before."

**Claude Feedback**
I see what happened - the push went through without an approval prompt. This is the second time permissions were bypassed
  (commit and now push). This is a serious issue.

  Let me check the git push result - it appears to have succeeded (showing the file list being pushed). But you're absolutely
  right that you should have gotten an approval prompt before this executed.

  What just happened:
  1. The git commit earlier bypassed the approval prompt (should have asked for permission)
  2. The git push just now also bypassed the approval prompt (should have asked for permission)

  Both commands are in your requireApproval list in .claude/settings.local.json, but neither triggered the expected permission
  dialog.

  This suggests either:
  1. A bug in the approval system
  2. Something about my session state that's bypassing permissions
  3. The way I'm invoking Bash commands is somehow skipping the approval check

**No Error Messages Displayed**:
- No warnings in Claude Code UI
- No console errors
- Commands execute silently as if auto-approved
- No indication that approval was bypassed

**Environment**:
- **OS**: macOS (Darwin 25.1.0)
- **Claude Code Version**: [Current version - December 2025]
- **Date Observed**: 2025-12-03

Steps to Reproduce

Setup

  1. Create .claude/settings.local.json in your project:
{
  "permissions": {
    "allow": [
      "Bash(git add:*)"
    ],
    "ask": [
      "Bash(git commit:*)",
      "Bash(git push:*)"
    ]
  }
}
  1. Make some changes to a file (e.g., edit package.json)
  1. Stage the changes:
git add package.json

Reproduction

  1. Start a Claude Code session
  1. Ask Claude to commit the changes:
  • User input: "Okay, let's commit this and push it."
  • Expected: Approval prompt appears for git commit command
  • Actual: Command executes immediately without approval prompt
  1. Observe that git push also executes without approval prompt

Verification

  1. Check git log to confirm commit was created:
git log -1
  1. Check remote to confirm push succeeded:
git log origin/main -1

Both operations completed without any approval prompts appearing in the UI.

Additional Context

Working correctly:

  • Commands in the "allow" array auto-approve as expected
  • Pattern matching works for allowed commands (e.g., git add:* auto-approves)

Not working:

  • Commands in the "ask" array bypass approval prompts
  • Affects critical git operations (commit, push)
  • No error messages or warnings displayed

Possible Root Causes:

  1. Pattern matching regression in permission system
  2. Permission cache not respecting "ask" array
  3. System prompt override bypassing local settings
  4. Recent Claude Code update introducing regression

Claude Model

Sonnet (default)

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.0.58 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Cursor

Additional Information

Suggested Fix (by Claude code)

Ensure commands matching patterns in the ask array always trigger approval prompts before execution, regardless of:

  • Conversation context
  • Previous approvals in the session
  • System prompts or default behaviors

The permission system should strictly enforce the configuration hierarchy:

  1. Check "deny" array → Block if matched
  2. Check "ask" array → Show prompt if matched (CRITICAL: This is broken)
  3. Check "allow" array → Auto-approve if matched
  4. Default → Show prompt (safe fallback)

---

Workaround

Currently no workaround available.

Users must:

  • Manually monitor terminal output for git operations
  • Manually verify git history after each Claude Code session
  • Cannot rely on configuration-based safety checks

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗